Model Contracts are standard contractual clauses for the transfer of personal data outside the EU/EEA which have been approved by the European Commission. They have been approved on the basis that they provide sufficient safeguards for privacy, fundamental rights and the exercise of those rights. To date two sets of standard contractual clauses for the transfer of personal data outside the EU/EEA from data controllers to data controllers and one set for transfers from data controllers to data processors have been approved by the Commission.
Over the last 15 years, model contracts have been used to legitimise the transfer of personal data outside the EU/EEA, including to the US. Since the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbour regime invalid on 6 October 2015, some data protection authorities have, however, questioned the validity of model contracts.
The Article 29 Working Party (an independent advisory group set up under the EU Data Protection Directive composed of representatives of national data protection authorities, the European Commission and the European Data Protection Supervisor) issued a statement on Friday confirming that, pending further analysis by the Working Party on the impact of the CJEU’s decision, EU data protection authorities consider that model contracts can still be used.
The statement is intended to provide a collective and common position of national data protection authorities on the implementation of the CJEU’s decision. It will not prevent data protection authorities from investigating particular transfers. It is to be welcomed, however, as it removes, at least in the short term, some of the uncertainty created by initial, individual statements of some data protection authorities in relation to the validity of model contracts.